I've developed a REST API for my Symfony2 application. This API will be used by a mobile app. Much of the functionality is done in the context of the currently authenticate
I think you should do it stateless (without cookie).
I had the same problem, what I did:
    security:
        # ...
        firewalls:
            rest_webservice:
                pattern: /webservice/rest/.*
                stateless: true
                http_basic:
                    provider: provider_name
            # ...

    use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

    class AuthTest extends WebTestCase
    {
        public function testAuthenticatedWithWebservice()
        {
            // createClient() is a static method on WebTestCase
            $client = static::createClient();

            // Not authenticated: the firewall must reject the request
            $client->request('GET', '/webservice/rest/url');
            $this->assertEquals(401, $client->getResponse()->getStatusCode());

            // Authenticated: HTTP Basic credentials are passed as server parameters
            $client->request('GET', '/webservice/rest/url', array(), array(), array(
                'PHP_AUTH_USER' => 'username',
                'PHP_AUTH_PW'   => 'password',
            ));
            $this->assertEquals(200, $client->getResponse()->getStatusCode());
        }
    }

Yes Marc, jules is pointing to an example just to show you how to test authentication with http_basic.
To be RESTful you should avoid using cookies, otherwise just call it an API. As for how secure your authentication system is, you can go with http_digest over HTTPS or a more secure signed request with the api_key/api_secret approach.
Have a look here http://wiki.zanox.com/en/RESTful_API_authentication
Here you are: "How to create a custom Authentication Provider", an awesome article.
To authenticate to a Symfony2 application through an API, you need to use WS-Security.
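
The signed-request approach with api_key/api_secret mentioned in the answers above, sketched as server-side verification. This is an added example, not code from any of the posters or from the linked zanox page. The canonical string layout, the function names, the 300-second clock-skew window and the sample key and secret are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical HMAC request-signing scheme (assumed layout,
// not taken from the page). Stateless: every request carries its own proof.

function canonicalString($method, $path, $timestamp, $body)
{
    // Bind the signature to verb, path, time and body so none can be swapped.
    return implode("\n", array(strtoupper($method), $path, $timestamp, hash('sha256', $body)));
}

function signRequest($secret, $method, $path, $timestamp, $body)
{
    // The api_secret never travels on the wire, only the resulting MAC does.
    return hash_hmac('sha256', canonicalString($method, $path, $timestamp, $body), $secret);
}

function verifyRequest(array $secrets, $apiKey, $signature, $method, $path, $timestamp, $body, $now, $maxSkew = 300)
{
    if (!is_string($apiKey) || !isset($secrets[$apiKey])) {
        return false; // unknown api_key
    }
    if (!ctype_digit((string) $timestamp) || abs($now - (int) $timestamp) > $maxSkew) {
        return false; // malformed or stale timestamp: narrows the replay window
    }
    $expected = signRequest($secrets[$apiKey], $method, $path, $timestamp, $body);

    return hash_equals($expected, (string) $signature); // constant-time comparison
}

// Constructed sample data (the key and secret are placeholders).
$secrets = array('demo-key' => 'demo-secret-not-for-production');
$now     = 1700000000;
$path    = '/webservice/rest/url';
$body    = '{"amount":10}';
$sig     = signRequest($secrets['demo-key'], 'POST', $path, $now, $body);

// Case 1: untouched request.
var_dump(verifyRequest($secrets, 'demo-key', $sig, 'POST', $path, $now, $body, $now));
// Case 2: body modified after signing.
var_dump(verifyRequest($secrets, 'demo-key', $sig, 'POST', $path, $now, '{"amount":9999}', $now));
// Case 3: same request presented an hour later.
var_dump(verifyRequest($secrets, 'demo-key', $sig, 'POST', $path, $now, $body, $now + 3600));
// Case 4: api_key the server does not know.
var_dump(verifyRequest($secrets, 'nobody', $sig, 'POST', $path, $now, $body, $now));
```

Only the first call verifies. The timestamp window limits replay but does not eliminate it inside the window, so a per-request nonce cache would be the next step, and the whole exchange still belongs on HTTPS.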